Amendment of Regulation O. Reg. 329/04 (General) under the Personal Health Information Protection Act, 2004 (PHIPA) to provide validation, verification and authentication services and support access to personal health information held in the Electronic Health Record (EHR)
Regulation Number(s):
329/04
Instrument Type:
Regulation - LGIC
Bill or Act:
Personal Health Information Protection Act, 2004
Summary of Proposal:
The provincial EHR is a secure lifetime record of a patient's health history that is managed by Ontario Health (OH) and used by health care providers to make clinical decisions and support integrated care. The two proposed amending regulations to the General regulation under PHIPA, if approved, would provide the framework for:
1) Ontario Health's provision of validation, verification, authentication and Ontario Health Account management services to enable the collection, use and disclosure of health card information from an individual to support access to approved Digital Health Resources and use of the digital means of access through OH to certain personal health information (PHI) from the Electronic Health Record (EHR) if s. 51(5) is proclaimed and when OH acts as a prescribed person for the purposes of clause 39(1)(c) of the Act; and
2) Enabling OH to provide individual access to certain PHI in the provincial Electronic Health Record (EHR) and certain electronic audit records kept by OH, if s. 51(5) of PHIPA is proclaimed.
Overall, the proposed amending regulations would, if approved:
1. Validation, Verification and Authentication Services Regulation
If approved, this proposed amending regulation would allow OH to collect, use and disclose PHI, including from the individual's health card, with their express consent, for the purpose of providing validation, verification and authentication services as well as Ontario Health Account management services. These services would be used to support access to approved "Digital Health Resources" (as defined in the proposed regulation).
By leveraging common government services, OH would be able to conduct the following for eligible individuals:
• Validate the health number and additional health card information provided by the individual.
• Verify the identity of the individual providing their health number and health card information, and such other identifying information as may be requested by OH.
• Create and maintain an Ontario Health Account that the individual will be able to use to access authentication services that OH will provide to an approved health information custodian (HIC) in respect of their approved Digital Health Resource.
Using the Ontario Health Account, individuals would be able to access approved Digital Health Resources, as well as use the digital means of access through OH to certain PHI from their EHR and to certain records kept by OH, if s. 51(5) is proclaimed (that is, the digital means of access referred to in sections 18.1.1 and 18.1.2 of this Regulation to request and receive access to a record of personal health information described in those sections), and when OH acts as a prescribed person for the purposes of clause 39(1)(c) of the Act.
If approved, this proposed amending regulation would enable approved HICs to use OH's authentication services to support individual authentication to access approved Digital Health Resources. In consultation with the Minister of Health, OH would be required to create eligibility criteria and a process for the approval of Digital Health Resources seeking to use these authentication services. The eligibility criteria and approval process will be published on OH's website.
In addition, these proposed amendments would, among other things, require OH to:
• In consultation with the Minister of Health, develop and publish a policy about which individuals are eligible for the provision of validation, verification and authentication services as well as Ontario Health Account management services.
• Provide services that maintain an individual's Ontario Health Account, including the confidentiality, integrity, availability, deactivation, reactivation or disposal of an individual's Ontario Health Account.
• Require any persons that would be acting on its behalf, including an agent or service provider, to agree to comply with the restrictions and conditions that apply to OH prior to letting them access or deal with the PHI that is collected or used in the course of providing these validation, verification and authentication services or Ontario Health Account (OHA) management services.
• Notify the Information and Privacy Commissioner of Ontario in certain circumstances, certain HICs and affected individuals if their PHI that was collected or used by OH in the provision of validation, verification and authentication services or OHA management services is stolen, lost, used or disclosed without authority.
2. EHR Access Regulation
If approved, the proposed amending regulation would revoke subsection 1(1) of O. Reg. 394/22 and add provisions to support the implementation of s. 51(5) to enable individual access to certain PHI held in the provincial EHR ("EHR Records") and certain electronic records kept by OH ("Audit Records"). This amending regulation, which would be effective upon proclamation of s. 51(5) of PHIPA, if approved, would, among other things:
• Establish the scope of the EHR Records that would be available for individual access under s. 51(5);
• Establish that Ontario Health, as the prescribed organization (PO), would provide EHR Records through a digital means of access to individuals specified by OH who have an OHA, or direct individuals to alternative means of access for individuals who are unwilling or unable to use the digital means of access;
• For EHR Records, clarify that OH is not required to consider the exceptions from the right to access listed in s. 52(1) but would establish a notification process with HICs that have provided or intend to provide records to the EHR ("Contributing HICs");
• Enable OH to deactivate access through the digital means of access to all of the affected individual's records if a Contributing HIC has notified OH about a s. 52(1) exception applying to record(s) that the HIC has provided or intends to provide to the EHR;
• Outline OH's responsibilities vis-à-vis Contributing HICs and individuals seeking their records upon deactivating access through the digital means of access;
• Exempt OH from the requirement in s. 52(1.1) to provide the records through the digital means of access in the electronic formats specified in that subsection;
• Exempt OH from the requirements under s. 52(4) to (7) relating to provisions for HICs at the point of care;
• Exempt OH from the requirement under s. 55 to correct EHR Records; and
• For the Audit Records (i.e., the records described in paragraph 2 of s. 51(5)), permit OH to only provide summaries of such records; provide OH with an initial period of 90 days to provide such summaries; and enable OH to only prepare summaries for the 12-month period preceding the request. These summaries would be provided via the digital means of access for individuals specified by OH who have an OHA or an alternative process for individuals who are unwilling or unable to use the digital means of access.
S. 51(6) of PHIPA, which provides a general right of access to records in the custody of a HIC on when an individual's PHI in the EHR has been viewed, handled or dealt with by the HIC (e.g., audit logs), would also be proclaimed at the same time as s. 51(5), if approved. The proposed regulation would only require that HICs provide summaries of such access logs, if available.
Analysis of Regulatory Impact:
Work is currently underway analyzing possible administrative and compliance costs to businesses and professionals that may result from this regulatory proposal. To further inform this analysis we encourage you to provide your feedback.
Further Information:
Proposal Number:
24-HLTC020
Posting Date:
July 5, 2024
Comments Due Date:
September 4, 2024
Contact Address:
Digital Health Program Branch
Digital and Analytics Strategy Division
222 Jarvis Street, 7th Floor
Toronto ON M7A 0B6
Ministry of Health || Ministry of Long-Term Care
Email: digitalhealthprogrambranch@ontario.ca